
25 more domains added to blocklist

Posted on February 14th, 2008 in New Domains,spam,Storm Worm by dglosser

25 additional bh-dns blocklist domains, from various sources. Includes trojans, fast-flux domains, top spam domains, etc.


Help fight spyware: Join the Spyware Listening Post!

domains.txt file is the complete list along with original reference

Updates are located at http://www.malwaredomains.com/updates
The full files are located at: http://www.malwaredomains.com/files

BOOT file is in MS DNS format
spywaredomains.zones file is in BIND format

Storm Worm Valentines Day Spam

Posted on February 13th, 2008 in Domain News,Storm Worm by dglosser

The Internet Storm Center reports that destroythemoon.com and moonstarfood.com (fast-flux) are being used in the latest Storm Worm Valentine’s Day spam. They will be added tonight, but you shouldn’t wait.

Update: block 987408.com as well. Sunbelt Blog reports spam with a link to this domain, containing a very nasty and dangerous trojan.

20 New Malicious Domains to Block

Posted on February 13th, 2008 in New Domains,Storm Worm by dglosser

From various sources.



Happy Valentines Day From the Storm Worm

Posted on February 11th, 2008 in Storm Worm by dglosser

Arbor Networks and SpamWiki, among others, report Happy Valentine's Day Storm Worm spam with varying subjects:

  • Sending You My Love
  • A Toast My Love
  • Your Love Has Opened
  • Sending You My Love
  • When I’m with You
  • Our Love is Free
  • When You Fall in Love
  • A Token of My Love
  • I Love Thee
  • Hugging My Pillow and more….

For now, the BadGuys are using IPs in their email. EmergingThreats has a bunch of Storm Sigs and IP blocklists to catch this stuff.

SpamWiki always seems to have the most up-to-date information on the Storm Worm and other spam.

DNS-BH Update: 95 New Malicious Domains Added

Posted on February 10th, 2008 in New Domains by dglosser

95 new domains added, mainly from the emergingthreats sandbox.



DNS-BH List Cleanup: 111 Domains Removed

Posted on February 8th, 2008 in Domain News by dglosser

We have just recertified the first set of domains (most of which were associated with coolwebsearch), which has resulted in 111 domains removed.

The general criterion for removal: the domain has not been listed in any forums, antivirus or antimalware web sites, blogs, etc. as being associated with malware for approximately 3 years.

Diff files have been provided.

dns-bh domain blocklist update

Posted on February 5th, 2008 in New Domains by dglosser

New domains, mainly from the emergingthreats sandbox.



Malicious Banner Ads

Posted on February 5th, 2008 in Domain News,rogue antivirus by dglosser

The Spyware Sucks Blog has several reports on malicious banner ads. Most are promoting rogue antispyware programs. These will be added to the dns-bh blocklist on the next update.

DNS-BH List Cleanup

Posted on February 4th, 2008 in Domain News by dglosser

Removed tinyurl from the dns-bh file.

Coolwebsearch domains are currently being re-validated (check the domains.txt for progress).